From: Grant
To: gentoo-user@lists.gentoo.org
Date: Sat, 10 Jan 2009 18:27:59 -0800
Subject: Re: [gentoo-user] Restricting Firefox website access
Message-ID: <49bf44f10901101827y1a2bdfdbn419a23ec5a04ddd2@mail.gmail.com>
In-Reply-To: <20090111070536.52dece68@coercion>
> Grant wrote:
>
>> That sounds good, how can I do that?
>
> The iptables module "owner" handles that stuff; just "man iptables" if
> you have any trouble.
>
> iptables -A OUTPUT -m owner --uid-owner someuser -p tcp -m tcp --dport http -j REJECT
>
> Alternatively, you can use a numeric uid or match a user group:
>
> iptables -A OUTPUT -m owner --gid-owner users -p tcp -m tcp --dport http -j REJECT
>
> As simple as that ;)
>
> If blocking every possible user is too much trouble, or you wish to
> block just firefox but not wget to the http port for _all_ users (not the
> same case as emerge from root), you can write a simple SUID wrapper for
> the firefox binary which changes the group to a restricted one (but leaves
> the uid and home unchanged), then launches the true firefox binary, to
> which only that group has access.
>
> --
> Mike Kazantsev // fraggod.net

Thanks Mike, that sounds like exactly what I should do.

- Grant
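Mike's wrapper idea as an added example, not code from the thread: a setgid (rather than setuid) launcher in C, since only the group has to change. The group name nonet, the binary paths and the iptables rule in the header comment are assumptions.

```c
/* firefox-wrapper.c: setgid launcher that moves the process into a
 * restricted group and then execs the real Firefox; uid and HOME stay as
 * they are. Assumed deployment (names and paths are placeholders):
 *   groupadd nonet
 *   chgrp nonet /usr/lib/firefox/firefox-bin && chmod 0750 /usr/lib/firefox/firefox-bin
 *   cc -O2 -o /usr/local/bin/firefox firefox-wrapper.c
 *   chgrp nonet /usr/local/bin/firefox && chmod 2755 /usr/local/bin/firefox
 *   iptables -A OUTPUT -m owner --gid-owner nonet -p tcp --dport http -j REJECT
 */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define REAL_FIREFOX "/usr/lib/firefox/firefox-bin"   /* assumed path */

/* Make `target` the real, effective and saved gid. Setting all three means
 * Firefox cannot later setegid() back to the user's own group, so every
 * socket it opens carries the restricted gid that the owner match sees.
 * Returns 0 on success, -1 on failure (errno is left set by setregid). */
int switch_group(gid_t target)
{
    if (setregid(target, target) != 0)
        return -1;
    /* Verify rather than trust: a silently failed switch would launch an
     * unrestricted browser. */
    if (getgid() != target || getegid() != target)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    gid_t restricted = getegid();   /* set by the kernel from the setgid bit */

    /* If the wrapper is not installed setgid, egid equals the user's gid and
     * launching would bypass the firewall rule; refuse instead. */
    if (restricted == getgid()) {
        fprintf(stderr, "%s: not running setgid, refusing to start unrestricted\n", argv[0]);
        return 1;
    }
    if (switch_group(restricted) != 0) {
        perror("setregid");
        return 1;
    }
    (void)argc;
    execv(REAL_FIREFOX, argv);      /* only returns on failure */
    perror("execv " REAL_FIREFOX);
    return 1;
}
```

The gid-owner rule only restricts processes carrying the nonet gid, so keeping firefox-bin group-owned by nonet with mode 0750 is what stops users from starting it without the wrapper.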